Security Report
Application Name: MQv9x (OpenSource)
Business Impact: Medium
Report Name: MQv9x (OpenSource)_20200609_17_20_28
Summary of security issues
High severity issues: 3
Medium severity issues: 6
Total security issues: 9
Table of Contents
Summary
Issues
Fix-Groups
  Common Open Source: ant.jar
  Common Open Source: ant-junitlauncher.jar
  Common Open Source: bcprov-jdk15on.jar
  Common Open Source: commons-codec.jar
  Common Open Source: commons-collections.jar
  Common Open Source: log4j.jar
  Common Open Source: log4j-core.jar
Advisories
Summary
Total security issues: 9
Issue Types: 1
Number of issues by type: OpenSource 9
Number of issues by severity: Critical 0, High 3, Medium 6, Low 0, Informational 0
Issues - By Fix Groups:
Medium: Common Open Source: ant.jar
Fix Group ID: 38fc2e2c-da9c-ea11-86e9-00155d55406c
Status: Undefined
Date: 2020-05-23 09:45:55Z
Library name: ant.jar
Notes:
Advisory:
Issue 1 of 2
Issue ID: 3dfc2e2c-da9c-ea11-86e9-00155d55406c
Severity: Medium
Status: Open
Classification: Definitive
Fix Group ID: 38fc2e2c-da9c-ea11-86e9-00155d55406c
Location: F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\ant\lib\ant.jar
Source File: F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\ant\lib\ant.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, May 23, 2020
Last Updated: Monday, May 25, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1945
Issue 1 of 2 - Details
Name: CVE-2020-1945
Description: Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 use the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree, allowing an attacker who can write to that directory to inject modified source files into the build process.
Resolution: Upgrade org.apache.ant:ant to 1.9.15 (for the 1.9.x line) or 1.10.8 (for the 1.10.x line).
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1945
Issue 1 of 2 - Audit Trail
05/23/2020 09:45:55  IssueTypeName: → OpenSource; Status: → New; Location: → F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\ant\lib\ant.jar; Severity: → Medium; Scanner: → AppScan Static Analyzer
05/25/2020 19:11:52  WMQ Infrastructure: Status: New → Open
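The finding above turns on where java.io.tmpdir points: the affected Ant tasks write to that directory and copy from it back into the build tree, so the exposure exists only when the directory is shared with other local users. The script below is an added example (not part of this report, of AppScan, or of Apache Ant) that audits a candidate temporary directory and creates a private one for the build JVM. The function names, the findings it reports and the POSIX-permission model (the amd64_linux_2 build slot listed above) are assumptions of this example; the Windows slot's ACL model is not covered.

```python
"""Audit the directory a build JVM will use as java.io.tmpdir (the CVE-2020-1945
exposure) and create a private replacement. Added example with assumed names;
POSIX owner/mode bits are assumed (Linux build slot), not Windows ACLs."""
import os
import stat
import tempfile


def audit_tmpdir(path):
    """Return the reasons `path` is unsafe as a build's java.io.tmpdir; an empty
    list means it is private to the build user. Only the directory's own owner
    and mode bits are examined, not the files already inside it."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    findings = []
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("owned by uid %d, not the build user" % st.st_uid)
    # World-writable: another local user can pre-create the file names that the
    # fixcrlf/replaceregexp tasks later copy back into the build tree. The
    # sticky bit (as on /tmp) does not help; it only blocks deletion/rename.
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable (mode %o)" % stat.S_IMODE(st.st_mode))
    # World-readable: temporary copies of sources, and anything embedded in
    # them, are readable by every local account.
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable (mode %o)" % stat.S_IMODE(st.st_mode))
    if st.st_mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group-accessible; acceptable only if the group is the build user alone")
    return findings


def private_tmpdir(parent=None):
    """Create a fresh 0700 directory and return (path, jvm_option). Pass the
    option via ANT_OPTS or the wrapper that launches the build JVM."""
    path = tempfile.mkdtemp(prefix="build-tmp-", dir=parent)
    os.chmod(path, 0o700)
    return path, "-Djava.io.tmpdir=%s" % path


def make_shared_dir(parent=None):
    """Constructed scenario for the demonstration: a /tmp-like directory,
    world-writable with the sticky bit set."""
    path = tempfile.mkdtemp(prefix="shared-tmp-", dir=parent)
    os.chmod(path, 0o1777)
    return path


if __name__ == "__main__":
    shared = make_shared_dir()
    print(shared, audit_tmpdir(shared))
    path, opt = private_tmpdir()
    print(path, audit_tmpdir(path), opt)
```

The audit deliberately flags the sticky-bit /tmp layout as unsafe: the sticky bit prevents other users from removing the build's temporary files, but not from reading them or from planting files under predictable names ahead of the build, which is what the description above relies on. Upgrading Ant remains the fix; the private directory is the compensating control while the upgrade is pending.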
Issue 2 of 2
Issue ID: cd5fcdc7-e39c-ea11-86e9-00155d55406c
Severity: Medium
Status: Open
Classification: Definitive
Fix Group ID: 38fc2e2c-da9c-ea11-86e9-00155d55406c
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/ant/lib/ant.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/ant/lib/ant.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, May 23, 2020
Last Updated: Monday, May 25, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1945
Issue 2 of 2 - Details
Name: CVE-2020-1945
Description: Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 use the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree, allowing an attacker who can write to that directory to inject modified source files into the build process.
Resolution: Upgrade org.apache.ant:ant to 1.9.15 (for the 1.9.x line) or 1.10.8 (for the 1.10.x line).
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1945
Issue 2 of 2 - Audit Trail
05/23/2020 10:54:33  IssueTypeName: → OpenSource; Status: → New; Location: → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/ant/lib/ant.jar; Severity: → Medium; Scanner: → AppScan Static Analyzer
05/25/2020 19:11:55  WMQ Infrastructure: Status: New → Open
Medium: Common Open Source: ant-junitlauncher.jar
Fix Group ID: 69557d0e-d9a7-ea11-86e9-00155d550e89
Status: Open
Date: 2020-06-06 09:35:36Z
Library name: ant-junitlauncher.jar
Notes:
Advisory:
Issue 1 of 1
Issue ID: 6a557d0e-d9a7-ea11-86e9-00155d550e89
Severity: Medium
Status: Open
Classification: Definitive
Fix Group ID: 69557d0e-d9a7-ea11-86e9-00155d550e89
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/ant/lib/ant-junitlauncher.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/ant/lib/ant-junitlauncher.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, June 6, 2020
Last Updated: Monday, June 8, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1945
Issue 1 of 1 - Details
Name: CVE-2020-1945
Description: Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 use the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree, allowing an attacker who can write to that directory to inject modified source files into the build process.
Resolution: Upgrade org.apache.ant:ant-junitlauncher to 1.10.8, together with the org.apache.ant:ant it accompanies (1.9.15 or 1.10.8; see the ant.jar fix group above).
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1945
Issue 1 of 1 - Audit Trail
06/06/2020 09:35:36  IssueTypeName: → OpenSource; Status: → New; Location: → F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\ant\lib\ant-junitlauncher.jar; Severity: → Medium; Scanner: → AppScan Static Analyzer
06/06/2020 09:42:54  Location: F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\ant\lib\ant-junitlauncher.jar → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/ant/lib/ant-junitlauncher.jar
06/08/2020 19:07:52  WMQ Infrastructure: Status: New → Open
Medium: Common Open Source: bcprov-jdk15on.jar
Fix Group ID: 301afbae-d3ec-e911-b5e9-00155d550e89
Status: Undefined
Date: 2019-10-12 09:36:02Z
Library name: bcprov-jdk15on.jar
Notes:
Advisory:
Issue 1 of 1
Issue ID: 9caed317-daa7-ea11-86e9-00155d550e89
Severity: Medium
Status: Open
Classification: Definitive
Fix Group ID: 301afbae-d3ec-e911-b5e9-00155d550e89
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/bcprov-jdk15on.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/bcprov-jdk15on.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, June 6, 2020
Last Updated: Monday, June 8, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-17359
Issue 1 of 1 - Details
Name: CVE-2019-17359
Description: The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can be made to attempt a very large memory allocation, with a resulting OutOfMemoryError, via crafted ASN.1 data. This is fixed in 1.64.
Resolution: Upgrade org.bouncycastle:bcprov-jdk15on to 1.64.
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-17359
Issue 1 of 1 - Audit Trail
06/06/2020 09:42:54  IssueTypeName: → OpenSource; Status: → New; Location: → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/bcprov-jdk15on.jar; Severity: → Medium; Scanner: → AppScan Static Analyzer
06/08/2020 19:07:53  WMQ Infrastructure: Status: New → Open
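The description above is terse about what "crafted ASN.1 data" means in practice: a definite-length field in DER/BER is attacker-controlled, and a parser that sizes a buffer from it before checking how many bytes the input actually holds can be driven into a multi-gigabyte allocation from a six-byte message. The Python below is an added illustration of that bug class and of the bounds check that must precede the allocation; it is not Bouncy Castle's code, and the function names and sample encodings are constructed for this example.

```python
"""The bug class behind CVE-2019-17359: a DER definite length taken from
untrusted input sizes an allocation before anyone checks that the input holds
that many bytes. Added illustration, not Bouncy Castle's code; the names and
the sample encodings below are constructed."""


def read_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, next_pos).
    Rejects the indefinite form (BER only) and length fields over 4 bytes."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 0x80:                        # short form: the byte is the length
        return first, pos + 1
    nbytes = first & 0x7F                   # long form: number of length bytes
    if nbytes == 0:
        raise ValueError("indefinite length is not DER")
    if nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("length field too long or truncated")
    length = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")
    return length, pos + 1 + nbytes


def parse_tlv(buf, pos=0, bounded=True):
    """Parse one tag-length-value element -> (tag, value, next_pos).
    bounded=False reproduces the unsafe pattern (allocate `length` bytes, then
    read whatever is there); bounded=True refuses a declared length larger than
    the bytes remaining, which is the check that has to come before allocating."""
    if pos >= len(buf):
        raise ValueError("truncated tag")
    tag = buf[pos]
    length, start = read_length(buf, pos + 1)
    remaining = len(buf) - start
    if bounded and length > remaining:
        raise ValueError("declared length %d exceeds the %d bytes available"
                         % (length, remaining))
    value = bytearray(length)               # sized by attacker-controlled data
    chunk = buf[start:start + length]
    value[:len(chunk)] = chunk
    return tag, bytes(value), start + length


# Constructed inputs: OCTET STRING "abc", and a SEQUENCE header declaring
# 0x7FFFFFFF (2 GiB) of content with nothing following it.
OCTET_STRING_ABC = bytes([0x04, 0x03, 0x61, 0x62, 0x63])
CRAFTED_2GIB = bytes([0x30, 0x84, 0x7F, 0xFF, 0xFF, 0xFF])


if __name__ == "__main__":
    print(parse_tlv(OCTET_STRING_ABC))                 # (4, b'abc', 5)
    print("declared:", read_length(CRAFTED_2GIB, 1))   # (2147483647, 6)
    try:
        parse_tlv(CRAFTED_2GIB)                        # bounded: rejected
    except ValueError as err:
        print("rejected:", err)
    # parse_tlv(CRAFTED_2GIB, bounded=False) would attempt the 2 GiB allocation.
```

The bounded variant compares the declared length with what the input can still supply; for a streaming parser the same check is made against the stream's known limit. Any code in the MQ bridge component that feeds externally supplied certificates, CMS blobs or other DER into this jar is the path that matters for the finding, so the upgrade priority should follow where bcprov-jdk15on.jar actually parses untrusted input.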
Medium: Common Open Source: commons-codec.jar
Fix Group ID: 9d942329-5c08-ea11-828b-00155d550e89
Status: Undefined
Date: 2019-11-16 10:30:51Z
Library name: commons-codec.jar
Notes:
Advisory:
Issue 1 of 1
Issue ID: 7b6ddbf8-008e-ea11-a94c-00155d550e89
Severity: Medium
Status: Open
Classification: Definitive
Fix Group ID: 9d942329-5c08-ea11-828b-00155d550e89
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/commons-codec.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/commons-codec.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Monday, May 4, 2020
Last Updated: Saturday, June 6, 2020
CVE: https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113
Issue 1 of 1 - Details
Name: 2019-0379 (scanner identifier; no CVE is listed, the reference is the fixing commit)
Description: Apache commons-codec before version commons-codec-1.13-RC1 is vulnerable to information disclosure due to improper input validation.
Resolution: Upgrade commons-codec:commons-codec to 1.13-RC1 or later.
URL: https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113
Issue 1 of 1 - Audit Trail
05/04/2020 12:15:45  IssueTypeName: → OpenSource; Status: → New; Location: → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/commons-codec.jar; Severity: → Medium; Scanner: → AppScan Static Analyzer
05/04/2020 19:05:39  WMQ Infrastructure: Status: New → Open
High: Common Open Source: commons-collections.jar
Fix Group ID: 37fc2e2c-da9c-ea11-86e9-00155d55406c
Status: Open
Date: 2020-05-23 09:45:55Z
Library name: commons-collections.jar
Notes:
Advisory:
Issue 1 of 2
Issue ID: d05fcdc7-e39c-ea11-86e9-00155d55406c
Severity: High
Status: Open
Classification: Definitive
Fix Group ID: 37fc2e2c-da9c-ea11-86e9-00155d55406c
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/lib/commons-collections.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/lib/commons-collections.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, May 23, 2020
Last Updated: Monday, May 25, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2017-15708
Issue 1 of 2 - Details
Name: CVE-2017-15708
Description: In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). Apache Synapse 3.0.1 and all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) therefore allow remote code execution attacks performed by injecting specially crafted serialized objects, and the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version in the Synapse distribution is what makes this exploitable. To mitigate the issue, limit RMI access to trusted users only. Upgrading to Synapse 3.0.1 removes the risk from that Commons Collections version: in Synapse 3.0.1, Commons Collections has been updated to 3.2.2.
Resolution: Upgrade commons-collections:commons-collections to 3.2.2. The org.apache.synapse:Apache-Synapse:3.0.1 part of the scanner's resolution applies to Synapse deployments; the flagged jar sits under mqft/lib rather than in a Synapse distribution, so the Commons Collections upgrade is the relevant action.
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2017-15708
Issue 1 of 2 - Audit Trail
05/23/2020 10:54:33  IssueTypeName: → OpenSource; Status: → New; Location: → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/lib/commons-collections.jar; Severity: → High; Scanner: → AppScan Static Analyzer
05/25/2020 19:11:55  WMQ Infrastructure: Status: New → Open
Issue 2 of 2
Issue ID: 903d2732-da9c-ea11-86e9-00155d55406c
Severity: High
Status: Open
Classification: Definitive
Fix Group ID: 37fc2e2c-da9c-ea11-86e9-00155d55406c
Location: F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\lib\commons-collections.jar
Source File: F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\lib\commons-collections.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, May 23, 2020
Last Updated: Monday, May 25, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2017-15708
Issue 2 of 2 - Details
Name: CVE-2017-15708
Description: In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). Apache Synapse 3.0.1 and all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) therefore allow remote code execution attacks performed by injecting specially crafted serialized objects, and the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version in the Synapse distribution is what makes this exploitable. To mitigate the issue, limit RMI access to trusted users only. Upgrading to Synapse 3.0.1 removes the risk from that Commons Collections version: in Synapse 3.0.1, Commons Collections has been updated to 3.2.2.
Resolution: Upgrade commons-collections:commons-collections to 3.2.2. The org.apache.synapse:Apache-Synapse:3.0.1 part of the scanner's resolution applies to Synapse deployments; the flagged jar sits under mqft\lib rather than in a Synapse distribution, so the Commons Collections upgrade is the relevant action.
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2017-15708
Issue 2 of 2 - Audit Trail
05/23/2020 09:45:55  IssueTypeName: → OpenSource; Status: → New; Location: → F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\lib\commons-collections.jar; Severity: → High; Scanner: → AppScan Static Analyzer
05/25/2020 19:11:53  WMQ Infrastructure: Status: New → Open
High: Common Open Source: log4j.jar
Fix Group ID: 2f8d06f4-5e34-ea11-add2-00155d550e89
Status: Undefined
Date: 2020-01-11 10:41:49Z
Library name: log4j.jar
Notes:
Advisory:
Issue 1 of 1
Issue ID: 3e5203af-6d95-ea11-86e9-00155d55406c
Severity: High
Status: Open
Classification: Definitive
Fix Group ID: 2f8d06f4-5e34-ea11-add2-00155d550e89
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/log4j.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/log4j.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Wednesday, May 13, 2020
Last Updated: Saturday, June 6, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-17571
Issue 1 of 1 - Details
Name: CVE-2019-17571
Description: Log4j 1.2 includes a SocketServer class that deserializes untrusted data; when it is listening for log data on untrusted network traffic, this can be exploited, in combination with a deserialization gadget, to execute arbitrary code remotely. This affects Log4j versions 1.2 up to 1.2.17.
Resolution: No fixed Log4j 1.2.x release exists (1.2.17 is the last 1.x release); the scanner's resolution, org.apache.logging.log4j:log4j-core:2.0-alpha1, denotes migration to Log4j 2. Because the log4j-core.jar shipped alongside this jar under mqbc/prereqs is itself flagged in this report for CVE-2020-9488, the migration target should be 2.13.2 at minimum. Until then the exposure is confined to deployments that actually run the Log4j 1.2 SocketServer to receive log events over the network.
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-17571
Issue 1 of 1 - Audit Trail
05/13/2020 23:01:40  IssueTypeName: → OpenSource; Status: → New; Location: → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/log4j.jar; Severity: → High; Scanner: → AppScan Static Analyzer
05/14/2020 09:32:23  WMQ Infrastructure: Status: New → Open
Medium: Common Open Source: log4j-core.jar
Fix Group ID: c45fcdc7-e39c-ea11-86e9-00155d55406c
Status: Open
Date: 2020-05-23 10:54:33Z
Library name: log4j-core.jar
Notes:
Advisory:
Issue 1 of 1
Issue ID: c75fcdc7-e39c-ea11-86e9-00155d55406c
Severity: Medium
Status: Open
Classification: Definitive
Fix Group ID: c45fcdc7-e39c-ea11-86e9-00155d55406c
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/log4j-core.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/log4j-core.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, May 23, 2020
Last Updated: Saturday, June 6, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-9488
Issue 1 of 1 - Details
Name: CVE-2020-9488
Description: The Apache Log4j SMTP appender does not properly validate the server certificate when its host name does not match. An SMTPS connection could therefore be intercepted by a man-in-the-middle attack, leaking any log messages sent through that appender.
Resolution: Upgrade org.apache.logging.log4j:log4j-core to 2.13.2.
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-9488
Issue 1 of 1 - Audit Trail
05/23/2020 10:54:33  IssueTypeName: → OpenSource; Status: → New; Location: → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/log4j-core.jar; Severity: → Medium; Scanner: → AppScan Static Analyzer
05/25/2020 19:11:53  WMQ Infrastructure: Status: New → Open
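Every finding above carries a Resolution naming the release that closes it, so what the WMQ Infrastructure owner needs next is a repeatable way to tell, from the shipped jar itself, whether a rebuilt package actually reached that release. The script below is an added example in Python, not part of the AppScan report, of WhiteSource or of IBM MQ: it maps the report's library names to the Maven coordinates and fixed versions quoted in the Resolution fields and reads each jar's version from its pom.properties or manifest. The in-memory jars, their versions and the branch-matching rule are assumptions made for the illustration.

```python
"""Confirm or close the OpenSource findings in this report by reading the
version out of each shipped jar and comparing it with the fixed release in the
finding's Resolution. Added example: the jars are constructed in memory with
assumed versions; for a real check pass the bytes of the files under Location."""
import io
import re
import zipfile

# Library file name as listed in the report -> Maven coordinate from its Resolution.
COORD = {
    "ant.jar": "org.apache.ant:ant",
    "ant-junitlauncher.jar": "org.apache.ant:ant-junitlauncher",
    "bcprov-jdk15on.jar": "org.bouncycastle:bcprov-jdk15on",
    "commons-codec.jar": "commons-codec:commons-codec",
    "commons-collections.jar": "commons-collections:commons-collections",
    "log4j.jar": "log4j:log4j",
    "log4j-core.jar": "org.apache.logging.log4j:log4j-core",
}
# Fixed releases from the Resolution fields; two entries mean one fix per branch.
FIXED = {
    "org.apache.ant:ant": ["1.9.15", "1.10.8"],
    "org.apache.ant:ant-junitlauncher": ["1.10.8"],
    "org.bouncycastle:bcprov-jdk15on": ["1.64"],
    "commons-codec:commons-codec": ["1.13-RC1"],
    "commons-collections:commons-collections": ["3.2.2"],
    "org.apache.logging.log4j:log4j-core": ["2.13.2"],
    "log4j:log4j": [],   # no fixed 1.x release; only moving to Log4j 2 clears it
}


def parse_version(text):
    """'1.13-RC1' -> ((1, 13), 'RC1'); '1.10.8' -> ((1, 10, 8), '').
    Qualifiers compare as plain strings, which is enough for the tags used here."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-(.+))?$", text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in m.group(1).split(".")), (m.group(2) or "")


def at_least(version, fixed):
    """True when `version` is `fixed` or later; a final release ranks above a
    pre-release (RC, alpha) of the same number."""
    (vn, vq), (fn, fq) = parse_version(version), parse_version(fixed)
    if vn != fn:
        return vn > fn
    return vq == "" or vq >= fq


def is_fixed(coord, version):
    """Compare against the fix for the jar's own major.minor branch; a branch
    with no listed fix must reach the newest fixed release overall."""
    fixes = FIXED[coord]
    if not fixes:
        return False
    branch = parse_version(version)[0][:2]
    same = [f for f in fixes if parse_version(f)[0][:2] == branch]
    return at_least(version, same[0] if same else max(fixes, key=parse_version))


def jar_version(data):
    """Version from META-INF/maven/*/*/pom.properties, else from the manifest's
    Implementation-Version (jars not built by Maven often carry only that);
    None when neither is present."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                for line in zf.read(name).decode("utf-8").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
        if "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8").splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    return None


def triage(jar_name, data):
    """'fixed', 'vulnerable' or 'unknown' (no readable version) for one jar."""
    version = jar_version(data)
    if version is None:
        return "unknown"
    return "fixed" if is_fixed(COORD[jar_name], version) else "vulnerable"


def make_jar(pom_coord=None, version=None, manifest_version=None):
    """Build a minimal jar in memory (constructed input, not an MQ artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if pom_coord:
            group, artifact = pom_coord.split(":")
            zf.writestr("META-INF/maven/%s/%s/pom.properties" % (group, artifact),
                        "groupId=%s\nartifactId=%s\nversion=%s\n" % (group, artifact, version))
        if manifest_version:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\nImplementation-Version: %s\n" % manifest_version)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {                                           # assumed versions
        "ant.jar": make_jar(manifest_version="1.10.7"),
        "log4j.jar": make_jar("log4j:log4j", "1.2.17"),
        "bcprov-jdk15on.jar": make_jar(manifest_version="1.64.0"),
    }
    for name, data in samples.items():
        print("%-20s %-8s %s" % (name, jar_version(data), triage(name, data)))
```

Run it against the files under the Location paths on both build slots. A result of unknown means the jar carries neither a pom.properties nor an Implementation-Version and needs a manual look (vendor release notes or class-file fingerprinting); log4j.jar reports vulnerable at every 1.x version, matching the Resolution above that points at Log4j 2 rather than a 1.x release.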
Advisories